FreeBSD VuXML 11982747-544C-11EE-AC3E-A04A5EDF46D9
History: Dec 08, 2022 - 12:00 a.m.

routinator -- multiple vulnerabilities

2022-12-08 00:00:00
vuxml.freebsd.org
routinator
security update
nlnet labs

9.3 High

CVSS3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

EPSS: 0.001 Low
EPSS Percentile: 19.2%

NLnet Labs report:

This release fixes two issues in Routinator that can be exploited
remotely by rogue RPKI CAs and repositories. We therefore advise all
users of Routinator to upgrade to this release at their earliest
convenience.
The first issue, CVE-2022-39915, can lead to Routinator crashing
when trying to decode certain illegal RPKI objects.
The second issue, CVE-2022-39916, only affects users that have the
rrdp-keep-responses option enabled which allows storing all received
RRDP responses on disk. Because the file name for these responses is
derived from the URI and the path wasn’t checked properly, an RRDP URI
could be constructed that results in the response stored outside the
directory, possibly overwriting existing files.
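The second issue comes down to a missing containment check when a file name is derived from a URI. The following is an added example, not Routinator's own code, showing the kind of check a cache writer needs before storing a response under a base directory: the URI path is percent-decoded first (so an encoded `..` cannot slip past), then walked component by component, and any `..`, absolute root, drive prefix, NUL byte or empty name is rejected. The base directory, the function names and the sample URIs are all assumptions made for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Decode %XX escapes in a URI path. Done before the containment check so an
/// encoded ".." (%2e%2e) cannot slip past it. Invalid escapes are kept literally.
pub fn percent_decode(s: &str) -> Vec<u8> {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len() {
            let hex = std::str::from_utf8(&b[i + 1..i + 3])
                .ok()
                .and_then(|h| u8::from_str_radix(h, 16).ok());
            if let Some(v) = hex {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(b[i]);
        i += 1;
    }
    out
}

/// Map the path part of an RRDP URI onto a file below `base`, returning None
/// for anything that would land outside `base`. Hypothetical helper written
/// for this example; the check is lexical, so `base` itself must not contain
/// symlinks pointing elsewhere.
pub fn safe_response_path(base: &Path, uri_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(uri_path);
    // A NUL byte would truncate the name at the OS boundary; reject it outright.
    if decoded.contains(&0) {
        return None;
    }
    let decoded = String::from_utf8(decoded).ok()?;
    let rel = Path::new(decoded.trim_start_matches('/'));
    let mut out = base.to_path_buf();
    let mut depth = 0usize;
    for comp in rel.components() {
        match comp {
            Component::Normal(seg) => {
                out.push(seg);
                depth += 1;
            }
            Component::CurDir => {}
            // "..", an absolute root or a drive prefix all step out of `base`.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    // An empty or slash-only path names the directory itself, not a file.
    if depth == 0 {
        None
    } else {
        Some(out)
    }
}

fn main() {
    // Constructed sample inputs: one benign path, two that try to escape.
    let base = Path::new("/var/cache/routinator/rrdp");
    for &uri in ["/repo/notification.xml", "/repo/../../../etc/passwd", "/%2e%2e/escape"].iter() {
        println!("{} -> {:?}", uri, safe_response_path(base, uri));
    }
}
```

The important ordering is decode, then check: validating the raw URI string and decoding afterwards would let an encoded traversal through. This check is purely lexical; if the cache directory can contain attacker-influenced symlinks, the final path should additionally be canonicalised and compared against the canonical base before opening the file.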

OS       Version  Architecture  Package     Version   Filename
FreeBSD  any      noarch        routinator  < 0.12.2  UNKNOWN

